FBI to Share Compromised Passwords With Have I Been Pwned
Will Help Prevent Users From Reusing Risky Passwords

The FBI will soon begin sharing hashes of compromised passwords found in the course of its cybercrime investigations with Have I Been Pwned, the data breach notification service.
The password hashes will contribute to Pwned Passwords, a service used to help warn users against reusing passwords that have been leaked in data breaches, says Troy Hunt, the Australian developer who created Have I Been Pwned.
The stolen and leaked data the FBI comes across in investigations - which usually would be kept secret - can now be utilized for active defense against account takeovers. It will help prevent bad outcomes stemming from the misuse of data obtained in data breaches.
"The folks I've spoken to there [the FBI] have been absolutely fantastic," Hunt says. "They are really dedicated, passionate people wanting to make a positive difference."
It's a sign that HIBP is increasingly being viewed as a critical outreach partner. It also shows an evolving view that, in addition to arrests and shutdowns, remediation is an important component of fighting cybercrime and fraud.
Last month, the FBI shared 4.3 million email addresses that had been harvested by the Emotet botnet, which was shut down in a global law enforcement action. It marked the first time the FBI had reached out to HIBP for help in notifying victims (see FBI Shares Email Addresses to Speed Emotet Cleanup).
HIBP has also seen wider uptake by governments. Seventeen governments are now using the HIBP service to get alerts when email addresses related to their domains are ensnared in a breach. The latest, announced this week, is Trinidad and Tobago.
Discouraging Password Reuse
Pwned Passwords now contains 613 million hashes of compromised passwords. It is available as a web service, which is now generating 1 billion queries per month, Hunt says. It's also available as a downloadable 12GB list that can be integrated into organizations' own systems or other software.
For example, the 1Password password manager uses Pwned Passwords within its application to alert users to reused passwords. Another service, Safepass.me, uses the NTLM hashes within Pwned Passwords to enable organizations to scan the NTLM hashes in their own Active Directory systems to check for reuse.
The FBI will supply compromised passwords as SHA-1 and NTLM hashes, Hunt says. Pwned Passwords only stores hashes and not plain-text passwords. Hashes are created by running a plain-text password through a one-way hashing algorithm.
The password hashes are not linked to email addresses. Also, Pwned Passwords does not identify which breach the hash appeared in but rather just how many times the password turned up in HIBP's database.
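As an added illustration, not code from HIBP or from this article, the Python below computes the two hash forms mentioned above (SHA-1 and NTLM) and looks a candidate password up in a locally held copy of the list, returning only the number of times it has been seen. The "HASH:COUNT" line layout, the sample lines and their counts are constructed here, and MD4 is written out in pure Python because hashlib frequently has it disabled.

```python
import hashlib
import struct
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320): hashlib's md4 is often disabled under OpenSSL 3.
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = [  # (mixing function, per-step shifts, message-word order, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), (3, 7, 11, 19), range(16), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), 0x6ED9EBA1),
    ]
    # Pad with 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for f, shifts, order, k in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + f(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)

def sha1_hex(password: str) -> str:
    # SHA-1 form: SHA-1 over the UTF-8 password, uppercase hex as in the list.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def ntlm_hex(password: str) -> str:
    # NTLM (NT hash) form: MD4 over the UTF-16LE password, uppercase hex.
    return md4(password.encode("utf-16-le")).hex().upper()

def load_counts(text: str) -> dict:
    # Parse "HASH:COUNT" lines (layout assumed here) into {hash: times_seen}.
    return {h: int(n) for h, _, n in (ln.strip().partition(":") for ln in text.splitlines()) if n}

# Constructed sample lines, not HIBP data; the counts are made up.
SAMPLE_SHA1 = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\n7C4A8D09CA3762AF61E59520943DC26494F8941B:42\n"
SAMPLE_NTLM = "8846F7EAEE8FB117AD06BDD830B7586C:1000\n"

def breach_count(password: str, sha1_counts: dict, ntlm_counts: dict) -> int:
    # Times the password was seen in either list; 0 means it is not known to be compromised.
    return max(sha1_counts.get(sha1_hex(password), 0), ntlm_counts.get(ntlm_hex(password), 0))

if __name__ == "__main__":
    for pw in ("password", "123456", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, load_counts(SAMPLE_SHA1), load_counts(SAMPLE_NTLM))} times")
```

A registration or password-change flow would reject or warn on any non-zero count, without the plain-text password ever leaving the local system.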
Hunt is calling for help in creating a way to ingest the data sent by the FBI. He announced Friday that Pwned Passwords will become an open-source project with help from the .NET Foundation.
Making Pwned Passwords open source has several advantages, Hunt writes in a blog post. It increases transparency around the project and allows organizations to take the code and run it as their own freestanding service.